Sorry, couldn't think of a better forum...
I suspect antivirus tools just check for "characteristic signatures" in files and, from that, deduce that the file is "infected". The thinking being that these combinations of bytes don't appear in "normal" software.
Assuming that to be true:
- how long are these signatures? i.e., do the tools check for a fixed number of bytes in all "programs"? Or, do they effectively verify the presence of the entire viral payload?
- for DLL infections, do they hook DllMain? Or, pick some "random" (all?!) entry point in the library and "hope for the best" (worst)?
Finally, is it TYPICALLY an exercise in futility to try to remove/"comment out" the viral load (if it is always an initial stanza, then one should be able to just "skip past it"; if tightly interwoven in the code, "ain't gonna happen")?
Pointers to literature?
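As an added illustration of the premise in the question (it is not part of the original post, and it is not any real scanner's code), the following Python mock-up shows the two simplest kinds of signature and why their length matters: a whole-file SHA-256 hash, which "verifies the entire payload" but breaks when a single byte changes, and a short byte pattern with wildcard bytes, which survives small variations but whose false-positive rate grows quickly as the number of fixed bytes shrinks. The `??` wildcard syntax, the `Demo.*` signature names and the sample buffers are all constructed for the example; the EICAR test string is the real, harmless industry-standard test file. Real engines layer heuristics and emulation on top of this, which the example does not model.

```python
import hashlib
import re
from typing import Dict, List, Tuple

# The EICAR test string: a harmless standard file that every scanner is expected to detect.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Constructed signature database (illustrative format, not any product's real one).
# Pattern signatures are hex byte strings; "??" matches any single byte.
PATTERN_SIGS: Dict[str, str] = {
    "Eicar-Test-Signature": EICAR.hex(),
    # Hypothetical 8-byte pattern with two wildcard bytes (e.g. a call whose
    # immediate operand varies between samples).
    "Demo.Pattern.A": "e8 ?? ?? 00 00 5d 81 ed",
}
# Hash signatures match only the whole file, byte for byte.
HASH_SIGS: Dict[str, str] = {
    "Demo.Hash.A": hashlib.sha256(b"constructed sample payload").hexdigest(),
}


def compile_hex_signature(hexsig: str) -> "re.Pattern[bytes]":
    """Turn 'e8 ?? 00' into a bytes regex where ?? matches any byte."""
    pairs = hexsig.replace(" ", "")
    if len(pairs) % 2:
        raise ValueError("odd-length hex signature")
    parts = []
    for i in range(0, len(pairs), 2):
        pair = pairs[i:i + 2]
        parts.append(b"." if pair == "??" else re.escape(bytes([int(pair, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)


def fixed_byte_count(hexsig: str) -> int:
    """Number of non-wildcard bytes, i.e. how much the pattern actually pins down."""
    pairs = hexsig.replace(" ", "")
    return sum(1 for i in range(0, len(pairs), 2) if pairs[i:i + 2] != "??")


def expected_random_hits(fixed_bytes: int, corpus_bytes: int) -> float:
    """Rough expected number of chance matches of a pattern with `fixed_bytes`
    pinned bytes against `corpus_bytes` of uniformly random data: the
    false-positive risk of a short signature scanned over a large install base."""
    return corpus_bytes / (256 ** fixed_bytes)


def scan_bytes(data: bytes) -> List[Tuple[str, int]]:
    """Return (signature name, offset) for every hit; hash hits report offset 0."""
    hits: List[Tuple[str, int]] = []
    digest = hashlib.sha256(data).hexdigest()
    for name, expected in HASH_SIGS.items():
        if digest == expected:
            hits.append((name, 0))
    for name, hexsig in PATTERN_SIGS.items():
        for m in compile_hex_signature(hexsig).finditer(data):
            hits.append((name, m.start()))
    return hits


if __name__ == "__main__":
    # Constructed sample buffers.
    samples = {
        "eicar-embedded": b"junk" + EICAR + b"trailer",
        "pattern-variant": b"\x00" * 3 + bytes.fromhex("e8 12 34 00 00 5d 81 ed"),
        "hash-exact": b"constructed sample payload",
        "hash-one-byte-off": b"constructed sample payload!",
    }
    for label, buf in samples.items():
        print(label, scan_bytes(buf))
    for name, sig in PATTERN_SIGS.items():
        k = fixed_byte_count(sig)
        print(name, "fixed bytes:", k,
              "expected chance hits per 1 GB:", expected_random_hits(k, 10 ** 9))
```

The one-byte-off sample shows why pure hash signatures are easy to evade and why engines favour byte patterns taken from code the malware cannot easily vary; the `expected_random_hits` figure shows the other side of that trade: a pattern pinning only a couple of bytes would match by chance all over a clean system.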